With the 2018 conclusion of the EU-GDPR grace period looming and the POPI compliance deadline creeping nearer and nearer, a lot of enterprises are in the process of reassessing their data protection strategies. The prospect of possible imprisonment and millions of rand in penalties for non-compliance has made CTOs understandably risk-averse, and many are questioning the viability of extending their deployments into the cloud under the circumstances.
Admittedly, this is scarcely an unexpected result. Typically unfounded fears around cloud security have abounded since the cloud's inception, and upping the ante with serious consequences for breaches isn’t setting anyone’s mind at ease. What most people don’t realise, however, is that a well-planned and implemented cloud migration is actually one of the best ways to streamline – and often enhance – enterprise data security both onsite and in the cloud.
Now, I’m not talking about Microsoft Office 365’s native security features here (although they are top notch). Nor am I trying to point out the strengths of the many excellent solutions that add control and visibility to the cloud. The real key for enterprises migrating to the cloud with POPI and EU-GDPR requirements in mind lies not in the final destination, but in the journey itself.
Do the prep
If “preparation, preparation, preparation” isn’t your migration partner’s motto, you should seriously reconsider letting them anywhere near your deployment, because a proper roadmap to the cloud is essential for a smooth, controlled and compliant transition. Any partner worth their salt should insist on a comprehensive planning process prior to a migration, and that process should include a detailed outline of your current and future security and compliance requirements.
At Cloud Essentials, we call this our Security Baseline Workshop. It covers everything from the native security features available to a client based on their Office 365 and Azure licensing, to how these tie into their existing corporate data governance policies, and the configuration necessary to achieve the desired levels of compliance. We explore and define data sovereignty requirements, permissions, and administrative controls as well as identity and access management protocols, data loss protection, mobile device management and more.
The result is essentially a fully defined and up-to-date data governance policy and implementation plan. And since onsite and cloud data governance policies need to mirror one another for a good user experience, this process often improves your overall security posture in the cloud and onsite at the same time.
But wait; there’s more!
Classify your data
As part of a responsible migration, a client’s existing user content will generally be assessed to classify unstructured data that needs to be migrated, separate it from ROT (redundant, obsolete or trivial data) that can be defensibly deleted, and identify sensitive information hidden amongst the general clutter. By doing this, we can not only ensure that compliance is maintained throughout the migration process (and afterwards), but also highlight potential security issues in any remaining onsite architecture – another double win.
Be responsible by choice, not just necessity
POPI and EU-GDPR may be the driving force behind most South African and European enterprises’ renewed interest in data protection, but when it comes to cloud migrations, they’re really only reinforcing best practices that are already in place. A trusted and experienced migration partner should leverage the powerful native security features already available to you within your cloud licensing to protect your sensitive information and improve your return on investment, regardless of legal requirements. Your data is a valuable asset, and should be treated that way.